def test_rules(self):
import rules
rules.remove_perm('accounts.add_user')
rules.add_perm('accounts.add_user', rules.always_allow)
user = User.objects.create_user(
username='******', nickname='user1', password='******',
user_type=UserType.government)
self.assertTrue(user.has_perm('accounts.add_user'))
def setup_test_perms():
"""
Create missing permissions that would be defined in edx-platform,
or elsewhere.
edx-platform imports tests from edx-proctoring, which causes duplicate
rules, so ignore the KeyError thrown by the rules package.
"""
try:
rules.add_perm('accounts.can_retire_user', rules.is_staff)
except KeyError: # pragma: no cover
pass
try:
rules.add_perm('edx_proctoring.can_take_proctored_exam', rules.always_true)
except KeyError: # pragma: no cover
pass
import rules
from ..profiles.models import Profile
@rules.predicate
def is_organiser(user, local_group):
return local_group.organisers.filter(pk=user.pk).exists()
@rules.predicate
def is_approved(user):
try:
profile = user.profile
except Profile.DoesNotExist:
return False
return profile.is_approved
rules.add_perm("localgroups.create_local_group", is_approved)
rules.add_perm("localgroups.change_local_group", is_organiser)
rules.add_perm("localgroups.delete_local_group", is_organiser)
def get_context_data(self, **kwargs):
ctx = super().get_context_data(**kwargs)
ctx.update(next=urlquote(reverse("profile")))
return ctx
@rules.predicate
def can_change_userprofile(user, userprofile):
print(user, userprofile)
if not user or not userprofile:
return False
return userprofile.user == user
rules.add_perm('userprofile.can_change', can_change_userprofile)
class UserSocialAuthChangeView(LoginRequiredMixin, DetailView):
model = UserSocialAuth
allowed_methods = ['post']
def get_object(self, queryset=None):
if queryset is None:
queryset = self.get_queryset()
pk = self.request.POST.get('id')
if not pk:
raise AttributeError("Post parameter 'id' is required.")
try:
obj = queryset.get(pk=pk)
except ObjectDoesNotExist:
import rules
from rules.predicates import is_superuser
from adhocracy4.modules.predicates import (is_context_initiator,
is_context_member,
is_context_moderator, is_owner,
is_public_context)
from adhocracy4.phases.predicates import (phase_allows_add,
phase_allows_change,
phase_allows_comment,
phase_allows_rate)
from .models import MapIdea
rules.add_perm('euth_maps.rate_mapidea',
is_superuser | is_context_moderator | is_context_initiator |
(is_context_member & phase_allows_rate))
rules.add_perm('euth_maps.comment_mapidea',
is_superuser | is_context_moderator | is_context_initiator |
(is_context_member & phase_allows_comment))
rules.add_perm('euth_maps.modify_mapidea',
is_superuser | is_context_moderator | is_context_initiator |
(is_context_member & is_owner & phase_allows_change))
rules.add_perm('euth_maps.propose_mapidea',
is_superuser | is_context_moderator | is_context_initiator |
import rules
@rules.predicate
def is_creator(user, image):
return user == image.creator.user
rules.add_perm('images.view', is_creator)
from rules import add_perm, always_allow, is_authenticated, predicate
@predicate
def is_self(user, gestalt):
return user == gestalt.user
@predicate
def is_public(user, gestalt):
return gestalt.public
add_perm('gestalten.view', is_public | (is_authenticated & is_self))
add_perm('gestalten.view_list', always_allow)
add_perm('gestalten.change', is_authenticated & is_self)
add_perm('gestalten.change_email', is_authenticated)
add_perm('gestalten.change_password', is_authenticated)
add_perm('gestalten.delete', is_authenticated)
add_perm('account.confirm', always_allow)
add_perm('account.set_password', is_authenticated)
add_perm('account.signup', ~is_authenticated)
@rules.predicate
def can_publish_podcast(user, podcast):
if user.has_perm('snotes20.publish_episode'):
return True
if podcast.mums.filter(id=user.id).exists():
return True
return False
@rules.predicate
def can_publish_episode(user, episode):
return can_publish_podcast(user, episode.podcast)
rules.add_perm('o_publish_episode', can_publish_episode)
def can_view_document(user, document):
return True
rules.add_perm('o_view_document', can_view_document)
def can_edit_document(user, document):
if not user.is_authenticated():
return False
return True
rules.add_perm('o_edit_document', can_edit_document)
import rules
@rules.predicate
def is_activity_editor(user, activity):
"""
The following users can edit an activity:
* The superuser
* The activity owner
"""
return activity.owner == user
@rules.predicate
def is_activity_inspector(user, activity):
"""
The following users can inspect the content of an activity including
student submissions and statistics:
* The superuser
* The activity owner
"""
return is_activity_editor(user, activity) or False
rules.add_perm('activities.edit_activity', is_activity_editor)
rules.add_perm('activities.inspect_activity', is_activity_inspector)
rules.add_perm('activities.view_submission_stats', is_activity_inspector)
user=user,
level=PermissionLevels.ADMIN,
tenant__in=zone.tenants.all(),
).exists()
@rules.predicate
def is_any_tenant_admin(user):
return Membership.objects.filter(user=user,
level=PermissionLevels.ADMIN).exists()
is_zone_tenant_member = rules.is_authenticated & is_zone_tenant_member
is_zone_tenant_admin = rules.is_authenticated & is_zone_tenant_admin
is_any_tenant_admin = rules.is_authenticated & is_any_tenant_admin
@rules.predicate
def is_admin(user):
return user.is_superuser
rules.add_perm('is_admin', is_admin)
rules.add_perm('tenants.list_zones', rules.is_authenticated)
rules.add_perm('tenants.view_zone', is_admin | is_zone_tenant_member)
rules.add_perm('tenants.delete_zone', is_admin | is_zone_tenant_admin)
rules.add_perm('tenants.create_zone', is_admin | is_any_tenant_admin)
rules.add_perm('tenants.create_record', is_admin | is_zone_tenant_member)
rules.add_perm('tenants.delete_record', is_admin | is_zone_tenant_member)
rules.add_perm('tenants.edit_record', is_admin | is_zone_tenant_member)
@rules.predicate
def member_of_team_role(user, role):
return not user.is_anonymous and \
user.teams.filter(pk__in=role.teams.values_list('pk', flat=True))
# Team predicates
@rules.predicate
def member_of_team(user, team):
return not user.is_anonymous and user.teams.filter(pk=team.pk).exists()
# Permissions
rules.add_perm('involvement', rules.always_allow)
rules.add_perm('involvement.list_contactcard', is_super | has_role_perm)
rules.add_perm('involvement.add_contactcard', is_super | has_role_perm)
rules.add_perm('involvement.change_contactcard', is_super
| member_of_team_contactcard & can_modify_contactcard)
rules.add_perm('involvement.delete_contactcard', is_super
| member_of_team_contactcard & can_modify_contactcard)
rules.add_perm('involvement.list_application', is_super | has_role_perm)
rules.add_perm('involvement.add_application', is_super | has_role_perm)
rules.add_perm('involvement.change_application', is_super
| member_of_team_appl & can_modify_application)
rules.add_perm('involvement.delete_application', is_super
| member_of_team_appl & can_modify_application)
"""Rules based permissions for the Q&A app"""
# pylint: disable=missing-docstring
# needed for rules
# Third Party
from rules import add_perm
# MuckRock
from muckrock.foia.rules import is_staff
add_perm("qanda.block", is_staff)
# pylint: disable=unused-argument, invalid-unary-operand-type
# Third Party
from rules import add_perm, always_deny, is_authenticated, predicate
# DocumentCloud
from documentcloud.core.rules import skip_if_not_obj
@predicate
@skip_if_not_obj
def is_private(user, organization):
return organization.private
@predicate
@skip_if_not_obj
def is_member(user, organization):
return organization.has_member(user)
is_public = ~is_private
can_view = is_public | (is_authenticated & is_member)
add_perm("organizations.view_organization", can_view)
add_perm("organizations.add_organization", always_deny)
add_perm("organizations.change_organization", always_deny)
add_perm("organizations.delete_organization", always_deny)
'Transaction',
'TransactionSector',
'User',
'UserProjects',
]
logger = logging.getLogger('akvo.rsr')
# Permission rules
import rules
from ..permissions import (is_rsr_admin, is_org_admin, is_org_user_manager,
is_org_me_manager,
is_org_me_manager_or_project_editor, is_org_user,
is_self, is_org_enumerator)
rules.add_perm('rsr', rules.always_allow)
rules.add_perm('rsr.add_benchmarkname', is_rsr_admin)
rules.add_perm('rsr.change_benchmarkname', is_rsr_admin)
rules.add_perm('rsr.add_country', is_rsr_admin)
rules.add_perm('rsr.change_country', is_rsr_admin)
rules.add_perm('rsr.add_budgetitemlabel', is_rsr_admin)
rules.add_perm('rsr.change_budgetitemlabel', is_rsr_admin)
rules.add_perm('rsr.add_category', is_rsr_admin)
rules.add_perm('rsr.change_category', is_rsr_admin)
rules.add_perm('rsr.add_focusarea', is_rsr_admin)
rules.add_perm('rsr.change_focusarea', is_rsr_admin)
# Copyright 2018, GeoSolutions Sas.
# All rights reserved.
#
# This source code is licensed under the BSD-style license found in the
# LICENSE file in the root directory of this source tree.
#
#########################################################################
"""Permissions for accessing track resources and info
These permissions are kept in memory, they do not need to be stored in the db
"""
import logging
import rules
import profiles.rules
logger = logging.getLogger(__name__)
for perm, predicate in {
"can_list_segments": profiles.rules.is_privileged_user,
"can_list_tracks": profiles.rules.is_privileged_user,
"can_list_own_segments": profiles.rules.is_end_user,
"can_delete_own_segments": profiles.rules.is_end_user,
"can_list_own_tracks": profiles.rules.is_end_user,
"can_delete_own_tracks": profiles.rules.is_end_user,
}.items():
rules.add_perm("tracks.{}".format(perm), predicate)
"""
Django rules for accounts
"""
from __future__ import absolute_import
from django.conf import settings
import rules
@rules.predicate
def can_retire_user(user):
"""
Returns whether the user can retire accounts
"""
return (
user.username == settings.RETIREMENT_SERVICE_WORKER_USERNAME or
user.is_superuser
)
rules.add_perm('accounts.can_retire_user', can_retire_user)
@rules.predicate
def can_view(user, association):
return associations_models.Association.objects.can_view(user, container='content') \
.filter(pk=association.pk).exists()
@rules.predicate
def is_member_of_associated_group(user, content):
for group in content.get_associated_groups():
if memberships.is_member_of(user, group):
return True
return False
rules.add_perm(
'content.list',
rules.always_allow)
rules.add_perm(
'content.view',
can_view)
rules.add_perm(
'content.comment',
rules.is_authenticated & can_view)
rules.add_perm(
'content.create',
rules.is_authenticated)
rules.add_perm(
"""
request = get_request_or_stub()
decoded_jwt = get_decoded_jwt_from_request(request)
if not context:
return False
return request_user_has_implicit_access_via_jwt(
decoded_jwt, ENTERPRISE_COUPON_ADMIN_ROLE, context)
@rules.predicate
def request_user_has_explicit_access(user, context):
"""
Check that if request user has explicit access to `ENTERPRISE_COUPON_ADMIN_ROLE` feature role.
Returns:
boolean: whether the request user has access or not
"""
if not context:
return False
return user_has_access_via_database(user,
ENTERPRISE_COUPON_ADMIN_ROLE,
EcommerceFeatureRoleAssignment,
context=context)
rules.add_perm(
'enterprise.can_view_coupon',
request_user_has_implicit_access | request_user_has_explicit_access)
rules.add_perm(
'enterprise.can_assign_coupon',
request_user_has_implicit_access | request_user_has_explicit_access)
import rules
from codeschool.lms.activities.rules import is_editor
rules.add_perm('questions.edit_question', is_editor)
import rules
from adhocracy4.modules import predicates as module_predicates
from meinberlin.apps.contrib import predicates as contrib_predicates
from . import models
rules.add_perm(
'meinberlin_polls.change_poll',
module_predicates.is_context_initiator |
module_predicates.is_context_moderator
)
rules.add_perm(
'meinberlin_polls.view_poll',
(module_predicates.is_project_admin |
(module_predicates.is_allowed_view_item &
contrib_predicates.has_context_started))
)
rules.add_perm(
'meinberlin_polls.comment_poll',
module_predicates.is_allowed_comment_item
)
# It has to be ensured that the permission is always checked against a module
# never a Vote object.
rules.add_perm(
'meinberlin_polls.add_vote',
module_predicates.is_allowed_add_item(models.Vote)
profile = user.profile
return profile.role == Profile.INTERN
except (ObjectDoesNotExist, AttributeError):
return False
@rules.predicate
def is_staff(user):
try:
profile = user.profile
return profile.role == Profile.STAFF
except (ObjectDoesNotExist, AttributeError):
return False
rules.add_perm("planner.view_intern_site", is_intern)
rules.add_perm("planner.view_staff_site", is_staff)
rules.add_perm("accounts.user.view_all", is_staff)
rules.add_perm("accounts.profile.view_all", is_staff)
rules.add_perm("accounts.intern.view_all", is_staff)
rules.add_perm("rotations.rotation.view_all", is_staff)
rules.add_perm("rotations.requested_department.view_all", is_staff)
rules.add_perm("rotations.rotation_request.view_all", is_staff)
rules.add_perm("rotations.rotation_request_response.view_all", is_staff)
rules.add_perm("rotations.rotation_request_forward.view_all", is_staff)
rules.add_perm("rotations.rotation_request_forward_response.view_all", is_staff)
rules.add_perm("months.internship.view_all", is_staff)
import rules
from . import models
@rules.predicate
def is_client(role, obj):
return obj and role.type == role.CLIENT_ROLE and role.client == obj
rules.add_perm('clients.view_client', is_client)
rules.add_perm('clients.change_client', is_client)
@rules.predicate
def is_own_authorization(role, obj):
return obj and role.type == role.PERSON_ROLE and role.person == obj.person
rules.add_perm('clients.view_authorization', is_own_authorization)
rules.add_perm('clients.change_authorization', is_own_authorization)
rules.add_perm('clients.delete_authorization', is_own_authorization)
# Create your models here.
class ContentCard(models.Model):
title = models.CharField(max_length=100)
message = models.TextField()
objects = InheritanceManager()
from_user = models.ForeignKey(User, default=1, related_name="creator")
@rules.predicate
def is_creator(user, card):
return card.from_user == user
rules.add_perm("cards.is_creator", is_creator)
class ImageCard(ContentCard):
image_url = models.CharField(max_length=10000, blank=True)
def render(self):
return self.title, self.message
class TextCard(ContentCard):
mood = models.CharField(max_length=100)
tag = models.CharField(max_length=100, default=" ")
class VideoCard(ContentCard):
from rules import add_perm, is_authenticated, predicate
@predicate
def is_subscribed(user, model):
return user.gestalt.subscriptions \
.filter(subscribed_to_type=model.content_type, subscribed_to_id=model.id) \
.exists()
add_perm('subscriptions.create',
~is_authenticated | (is_authenticated & ~is_subscribed))
add_perm('subscriptions.delete', is_authenticated & is_subscribed)
# -*- coding: utf-8 -*-
import rules
from rules.predicates import is_staff
from rules.predicates import is_superuser
from core.journal.predicates import is_journal_member
from .defaults import AuthorizationConfig as AC
from .predicates import HasAuthorization
# This permission assume to use a 'Journal' object to perform the perm check
rules.add_perm(
'authorization.manage_authorizations',
is_superuser | is_staff |
is_journal_member & HasAuthorization(AC.can_manage_authorizations),
)
from .utils import in_editable_period
# Business rules
@rules.predicate
def is_a_business_owner(user):
return user.profile.is_owner
@rules.predicate
def is_business_owner(user, business):
return user.profile.business == business and user.profile.is_owner
rules.add_perm('cashup.view_business', is_business_owner)
rules.add_perm('cashup.change_business', is_business_owner)
# Personnel rules
@rules.predicate
def is_personnel_business_owner(user, personnel):
return is_business_owner(user, personnel.business)
@rules.predicate
def is_personnel(user, personnel):
return user.profile == personnel
from rules import predicate, add_perm, is_authenticated
from speedy.core.accounts.base_rules import is_self
from speedy.core.blocks.rules import there_is_block
from speedy.core.accounts.models import User
from .models import UserLike
@predicate
def already_likes(user, other_user):
return UserLike.objects.filter(from_user=user, to_user=other_user).exists()
@predicate
def both_are_users(user, other_user):
return ((isinstance(user, User)) and (isinstance(other_user, User)))
add_perm('likes.like', is_authenticated & ~is_self & ~there_is_block & ~already_likes & both_are_users)
add_perm('likes.unlike', is_authenticated & ~is_self & ~there_is_block & already_likes & both_are_users)
add_perm('likes.view_likes', is_authenticated & is_self)
from friendship.models import Friend
from rules import predicate, add_perm, is_authenticated
from speedy.core.accounts.base_rules import is_self
from speedy.core.blocks.rules import there_is_block
@predicate
def friend_request_sent(user, other_user):
return other_user.id in [fr.to_user_id for fr in Friend.objects.sent_requests(user=user)]
@predicate
def is_friend(user, other_user):
return Friend.objects.are_friends(user1=user, user2=other_user)
are_friends = is_friend
add_perm('friends.request', is_authenticated & ~is_self & ~friend_request_sent & ~is_friend & ~there_is_block)
add_perm('friends.cancel_request', is_authenticated & friend_request_sent)
add_perm('friends.view_requests', is_self)
add_perm('friends.remove', is_authenticated & is_friend)
import rules
from rules.predicates import is_superuser
from euth.organisations.predicates import is_initiator
from .predicates import is_live, is_member, is_public
rules.add_perm('euth_projects.edit_project',
is_superuser | is_initiator)
rules.add_perm('projects.view_project',
is_superuser | is_initiator |
((is_public | is_member) & is_live))
# -*- coding: utf-8 -*-
import rules
from rules.predicates import is_authenticated
from rules.predicates import is_staff
from rules.predicates import is_superuser
from core.authorization.defaults import AuthorizationConfig as AC
from core.authorization.predicates import HasAuthorization
from core.journal.predicates import is_journal_member
# This permission assume to use a 'Journal' object to perform the perm check
rules.add_perm(
'editor.manage_issuesubmission',
is_authenticated & (
is_superuser | is_staff |
(is_journal_member & HasAuthorization(AC.can_manage_issuesubmission))
),
)
rules.add_perm(
'editor.review_issuesubmission',
is_authenticated & (is_superuser | HasAuthorization(AC.can_review_issuesubmission)),
)
@rules.predicate
def can_view_problem(user, problem):
displayable = is_challenge_displayable(user, problem.challenge)
if not displayable:
return False
if settings.PROLOGIN_SEMIFINAL_MODE:
from contest.models import Contestant
return problem in Contestant.objects.get(
user=user,
edition=settings.PROLOGIN_EDITION).available_semifinal_problems
return displayable
@rules.predicate
def is_code_submission_owner(user, code):
return user == code.submission.user
# Permissions
rules.add_perm('problems.view_challenge',
rules.is_staff | is_challenge_displayable)
rules.add_perm('problems.view_problem', rules.is_staff | can_view_problem)
rules.add_perm('problems.view_code_submission',
rules.is_staff | is_code_submission_owner)
rules.add_perm('problems.view_others_submissions', rules.is_staff)
rules.add_perm('problems.create_problem_code_submission',
rules.is_staff | can_view_problem)
rules.add_perm('problems.recorrect_submission', rules.is_staff)
# Third Party Libraries
import rules
# Localhub
from localhub.communities.rules import is_admin, is_inactive_member, is_member
@rules.predicate
def is_sender(user, join_request):
return user == join_request.sender
@rules.predicate
def is_community_admin(user, join_request):
return is_admin(user, join_request.community)
@rules.predicate
def is_join_request_allowed(user, community):
return community.allow_join_requests
rules.add_perm(
"join_requests.create",
is_join_request_allowed & ~is_member & ~is_inactive_member
& rules.is_authenticated,
)
rules.add_perm("join_requests.delete", is_sender | is_community_admin)
import rules
@rules.predicate
def is_in_relation(boby, relation):
if boby in (relation.inviter, relation.invited):
return True
return False
@rules.predicate
def is_admin(boby):
return boby.is_staff or boby.is_superuser
rules.add_rule('can_change_bobyrelation', is_in_relation | is_admin)
rules.add_rule('can_upload_users', is_admin)
rules.add_perm('core.change_bobyrelation', is_in_relation | is_admin)
import rules
from rules.predicates import is_superuser
from adhocracy4.modules import predicates as module_predicates
rules.add_perm(
'a4_candy_moderatorremark.add_moderatorremark',
is_superuser | module_predicates.is_context_moderator
| module_predicates.is_context_initiator)
rules.add_perm(
'a4_candy_moderatorremark.change_moderatorremark',
is_superuser | module_predicates.is_context_moderator
| module_predicates.is_context_initiator)
if obj:
if hasattr(obj, 'owner'):
return user == obj.owner
else:
return False
else:
return False
# 判斷物件是否為該單位人員可管理
@rules.predicate
def is_org_object(user, obj):
if obj:
try:
return user.org == obj.owner.org
except:
return False
else:
return False
rules.add_perm('is_superuser', is_superuser)
rules.add_perm('is_manager', is_manager)
rules.add_perm('is_editor', is_editor)
rules.add_perm('is_guest', is_guest)
rules.add_perm('is_self', is_self)
rules.add_perm('is_owner_object', is_owner_object)
rules.add_perm('is_org_object', is_org_object)
rules.add_perm(
'is_manager_object',
(is_owner_object | (is_org_object & is_manager))
)
def is_project_admin(user, crowdsource):
return (crowdsource.project_admin and crowdsource.project
and crowdsource.project.has_contributor(user))
@predicate
@skip_if_not_obj
def has_gallery(user, crowdsource):
return crowdsource.fields.filter(gallery=True).exists()
is_crowdsource_admin = is_owner | is_staff | is_project_admin
can_view = has_gallery | is_crowdsource_admin
add_perm('crowdsource.add_crowdsource', has_feature_level(1) | is_experimental)
add_perm('crowdsource.change_crowdsource', is_crowdsource_admin)
add_perm('crowdsource.view_crowdsource', can_view)
add_perm('crowdsource.delete_crowdsource', always_deny)
add_perm('crowdsource.form_crowdsource',
~is_project_only | is_contributor | is_crowdsource_admin)
def crowdsource_perm(perm):
@predicate('crowdsource_perm:{}'.format(perm))
def inner(user, crowdsource_response):
return user.has_perm('crowdsource.{}_crowdsource'.format(perm))
return inner
content_type = models.ForeignKey(ContentType)
target_id = models.PositiveIntegerField()
target = GenericForeignKey('content_type', 'target_id')
view = 'accept_delete'
def accept(self):
object_ = self.target
object_.delete()
self.state = RequestStates.ACCEPTED
self.save()
def __str__(self):
return 'Delete {}'.format(self.target)
rules.add_perm('powerdns.add_deleterequest', rules.is_authenticated)
class ChangeCreateRequest(Request):
"""Abstract change/create request"""
ignore_fields = {'owner', 'created', 'modified'}
class Meta:
abstract = True
def accept(self):
object_ = self.get_object()
for field_name in type(self).copy_fields:
if field_name in self.ignore_fields:
continue
import rules
rules.add_perm('semifinal.monitor', rules.is_staff)
rules.add_perm('semifinal.participate', rules.is_authenticated & rules.is_active)
@predicate
def can_access(user, contribution):
for association in contribution.container.associations.all():
if can_view(user, association):
return True
return False
@predicate
def is_conversation(user, contribution):
return contribution.container.is_conversation
@predicate
def is_creator(user, contribution):
return contribution.author == user.gestalt
@predicate
def is_multi_user_contribution(user, contribution):
associations = contribution.container.associations
return associations.count() > 1 or associations.first().entity.is_group
add_perm('contributions.delete', ~is_conversation & is_authenticated & is_creator)
add_perm('contributions.reply_to_author', is_multi_user_contribution & can_access)
add_perm('contributions.view_internal', is_authenticated & is_member_of_associated_group)
import rules
@rules.predicate
def event_is_active(user, event):
return event and event.is_active
@rules.predicate
def edition_is_active(user, edition):
return edition and edition.is_active
@rules.predicate
def can_download_home(user, contestant):
return contestant.is_home_public or contestant.user == user
rules.add_perm('contest.submit_qualification',
rules.is_authenticated & event_is_active)
rules.add_perm('correction.can_correct', rules.is_staff)
rules.add_perm('contest.can_download_home', can_download_home | rules.is_staff)
rules.add_perm('contest.interschool.view_leaderboard', edition_is_active)
import rules
@rules.predicate
def is_feedback_author(user, feedback):
return user == feedback.user
@rules.predicate
def was_first_feedback_for_contactpoint(user, contactpoint):
return contactpoint.feedback.filter(user=user).count() == 1
rules.add_perm('contact.feedback_create', is_feedback_author | rules.is_staff)
rules.add_perm('contact.feedback_publish', was_first_feedback_for_contactpoint | rules.is_staff)
from .models import AccessLevelChoice
import rules
@rules.predicate
def has_access_permission(user, product):
if product.access_level == AccessLevelChoice.private.name:
if product.seller != user:
return False
return True
rules.add_perm('products.can_access', has_access_permission)
settings.AUTH_USER_MODEL,
null=False,
blank=False,
related_name='issued_authorisations',
)
authorised = models.ForeignKey(
settings.AUTH_USER_MODEL,
null=False,
blank=False,
related_name='received_authorisations',
)
content_type = models.ForeignKey(ContentType)
target_id = models.PositiveIntegerField()
target = GenericForeignKey('content_type', 'target_id')
def __str__(self):
return '{} authorised {} to {}'.format(
self.owner,
self.authorised,
self.target,
)
rules.add_perm('powerdns.add_authorisation', rules.is_authenticated)
rules.add_perm(
'powerdns.change_authorisation', (rules.is_superuser | is_owner)
)
rules.add_perm(
'powerdns.delete_authorisation', (rules.is_superuser | is_owner)
)
import rules
from mcod.lib.rules import assigned_to_organization, users_is_editor
rules.add_perm('resources', rules.always_allow)
rules.add_perm('resources.add_resource', assigned_to_organization)
rules.add_perm('resources.view_resource', assigned_to_organization)
rules.add_perm('resources.change_resource', assigned_to_organization)
rules.add_perm('resources.delete_resource', users_is_editor)
rules.add_perm('resources.view_resourcetrash', users_is_editor)
rules.add_perm('resources.change_resourcetrash', users_is_editor)
import rules
from rules.predicates import is_superuser
from euth.modules.predicates import (is_context_initiator, is_context_member,
is_context_moderator, is_public_context)
from euth.phases.predicates import phase_allows_comment
rules.add_perm('euth_documents.comment_paragraph',
is_superuser | is_context_moderator | is_context_initiator |
(is_context_member & phase_allows_comment))
rules.add_perm('euth_documents.comment_document',
is_superuser | is_context_moderator | is_context_initiator |
(is_context_member & phase_allows_comment))
rules.add_perm('euth_documents.create_document',
is_superuser | is_context_moderator | is_context_initiator)
rules.add_perm('euth_documents.view_paragraph',
is_superuser | is_context_moderator | is_context_initiator |
is_context_member | is_public_context)
except User.DoesNotExist:
logger.error(
f'Permission is_instructor_in_course_id: user {user.id} is not an instructor in course {course_id}'
)
result = False
# set cache
self.context[f"{user.id}|{course_id}"] = result
return result
is_admin_or_enrolled_in_course = is_admin | is_enrolled_in_course
is_admin_or_enrolled_in_course_or_load_pending = is_admin_or_enrolled_in_course | course_is_not_loaded
is_admin_or_enrolled_in_course_id = is_admin | is_enrolled_in_course_id
is_admin_or_instructor_in_course = is_admin | is_instructor_in_course
is_admin_or_instructor_in_course_id = is_admin | is_instructor_in_course_id
# api
rules.add_perm('dashboard.get_course_info',
is_admin_or_enrolled_in_course_or_load_pending)
rules.add_perm('dashboard.update_course_info',
is_admin_or_instructor_in_course)
rules.add_perm('dashboard.resource_access_within_week',
is_admin_or_enrolled_in_course)
rules.add_perm('dashboard.grade_distribution', is_admin_or_enrolled_in_course)
rules.add_perm('dashboard.update_user_default_selection_for_views',
is_admin_or_enrolled_in_course)
rules.add_perm('dashboard.get_user_default_selection',
is_admin_or_enrolled_in_course)
rules.add_perm('dashboard.assignments', is_admin_or_enrolled_in_course)
import rules
@rules.predicate
def is_teacher(user, page):
"""
The following users are treated as teachers:
* The superuser
* The page owner
"""
return page.owner == user
rules.add_perm('attendance.see_passphrase', is_teacher)
rules.add_perm('activities.edit_passphrase', is_teacher)
from rules import predicate, add_perm, is_authenticated
from speedy.core.accounts.base_rules import is_self
from speedy.core.blocks.rules import there_is_block
from speedy.core.accounts.models import User
from .models import UserLike
@predicate
def you_like_user(user, other_user):
return UserLike.objects.filter(from_user=user, to_user=other_user).exists()
@predicate
def user_likes_you(user, other_user):
return UserLike.objects.filter(from_user=other_user, to_user=user).exists()
@predicate
def both_are_users(user, other_user):
return ((isinstance(user, User)) and (isinstance(other_user, User)))
add_perm(
'likes.like', is_authenticated & ~is_self & ~there_is_block
& ~you_like_user & both_are_users)
add_perm(
'likes.unlike', is_authenticated & ~is_self & ~there_is_block
& you_like_user & both_are_users)
add_perm('likes.view_likes', is_authenticated & is_self)
# -*- coding: utf-8 -*-
from __future__ import absolute_import
from __future__ import unicode_literals
import rules
from rules.predicates import is_staff
from rules.predicates import is_superuser
from wikilegis.core.models import Bill
@rules.predicate
def is_bill_editor(user, bill):
if bill is None:
return Bill.objects.filter(editors__pk__in=user.groups.values('pk')).count()
else:
return user.groups.filter(pk__in=bill.editors.values('pk')).count() > 0
@rules.predicate
def is_segment_editor(user, segment):
return is_bill_editor(user, segment.bill if segment else None)
rules.add_perm('core.change_bill', is_superuser | is_staff & is_bill_editor)
rules.add_perm('core.add_billsegment', is_superuser | is_staff & is_segment_editor)
rules.add_perm('core.change_billsegment', is_superuser | is_staff & is_segment_editor)
rules.add_perm('core.delete_billsegment', is_superuser | is_staff & is_segment_editor)
def allow_check(user):
return True
@rules.predicate()
def is_event_creator(user, content):
print('content', content)
print('user', user)
# return content.created_by == user
# return Event.objects.filter(created_by=user).exists()
@rules.predicate
def can_create_event(user):
# write some predicate here instead of just returning True
return True
rules.add_perm('event_app.create_event', is_user)
rules.add_perm('event_app.delete_event', is_event_creator)
rules.add_perm('event_app.list_events', allow_check)
rules.add_perm('event_app.update_event', allow_check)
"""
Example Usage of rules:
@rules.predicate
def is_a_climber(user):
return Climber.objects.filter(user=user).exists()
@rules.predicate
def is_a_routesetter(user):
return RouteSetter.objects.filter(user=user).exists()
from rules import add_perm, is_authenticated, predicate
@predicate
def is_subscribed(user, model):
return user.gestalt.subscriptions \
.filter(subscribed_to_type=model.content_type, subscribed_to_id=model.id) \
.exists()
add_perm('subscriptions.create', ~is_authenticated | (is_authenticated & ~is_subscribed))
add_perm('subscriptions.delete', is_authenticated & is_subscribed)
add_perm('subscriptions.delete_request', ~is_authenticated)
@rules.predicate
def has_explicit_access_to_reporting_api(user, obj):
"""
Check that if request user has explicit access to `ENTERPRISE_REPORTING_CONFIG_ADMIN_ROLE` feature role.
Returns:
boolean: whether the request user has access or not
"""
return user_has_access_via_database(
user, ENTERPRISE_REPORTING_CONFIG_ADMIN_ROLE,
EnterpriseFeatureUserRoleAssignment, obj)
rules.add_perm(
'enterprise.can_access_admin_dashboard',
has_implicit_access_to_dashboard | has_explicit_access_to_dashboard)
rules.add_perm('enterprise.can_view_catalog',
has_implicit_access_to_catalog | has_explicit_access_to_catalog)
rules.add_perm(
'enterprise.can_enroll_learners', has_implicit_access_to_enrollment_api
| has_explicit_access_to_enrollment_api)
rules.add_perm(
'enterprise.can_manage_reporting_config',
has_implicit_access_to_reporting_api
| has_explicit_access_to_reporting_api)
ordering = ['-updated']
class Issue(models.Model):
content_type = models.ForeignKey(ContentType)
object_id = models.PositiveIntegerField()
target = GenericForeignKey('content_type', 'object_id')
name = models.CharField(max_length=256)
def get_absolute_url(self):
return self.target.get_absolute_url()
@rules.predicate
def is_dog_owner(user, dog):
return dog.owner == user
rules.add_perm('core.change_dog', is_dog_owner)
def dog_with_empty_gallery(self):
return True # FIXME
def default_dog(self):
return self.dogs.first()
User.empty_gallery = dog_with_empty_gallery
User.default_dog = default_dog
).exists()
@rules.predicate
def is_reviewer(user, obj):
if not user or user.is_anonymous or not obj:
return False
from pretalx.person.models import EventPermission
return user.is_administrator or EventPermission.objects.filter(
user=user, event=obj.event, is_reviewer=True
).exists()
@rules.predicate
def is_administrator(user, obj):
return user.is_administrator
@rules.predicate
def person_can_view_information(user, obj):
event = obj.event
submissions = event.submissions.filter(speakers__in=[user])
if obj.include_submitters:
return submissions.exists()
if obj.exclude_unconfirmed:
return submissions.filter(state=SubmissionStates.CONFIRMED).exists()
return submissions.filter(state__in=[SubmissionStates.CONFIRMED, SubmissionStates.ACCEPTED]).exists()
rules.add_perm('person.view_information', is_orga | person_can_view_information)
# -*- coding: utf-8 -*-
import rules
from rules.predicates import is_authenticated
from rules.predicates import is_staff
from rules.predicates import is_superuser
from core.authorization.defaults import AuthorizationConfig as AC
from core.authorization.predicates import HasAuthorization
rules.add_perm(
'royalty_reports.consult_royalty_reports',
is_authenticated & (
is_superuser | is_staff | HasAuthorization(AC.can_consult_royalty_reports)
),
)
import rules
from rules.predicates import is_superuser
from adhocracy4.modules.predicates import (is_context_initiator,
is_context_moderator)
from adhocracy4.phases.predicates import phase_allows_add
from .models import Question
rules.add_perm('a4_candy_questions.change_question',
is_superuser | is_context_moderator | is_context_initiator)
rules.add_perm('a4_candy_questions.propose_question',
phase_allows_add(Question))
rules.add_perm('a4_candy_questions.view_question', rules.always_allow)
from features.groups import rules as groups
from features.memberships import predicates as memberships
import rules
rules.add_perm(
'sharing.recommend_group',
rules.always_allow)
rules.add_perm(
'sharing.invite_member',
rules.is_authenticated
& memberships.is_member_of
& ~groups.is_closed)
import rules
from accounts.models import User
from .models import Event, Schedule
@rules.predicate
def is_schedule_owner(user: User, schedule: Schedule):
return schedule.user == user
@rules.predicate
def is_superuser(user: User):
return user.is_superuser
@rules.predicate
def is_event_owner(user: User, event: Event):
return event.schedule.user == user
rules.add_perm("scheduling.change_schedule", is_schedule_owner | is_superuser)
rules.add_perm("scheduling.view_schedule", is_schedule_owner | is_superuser)
rules.add_perm("scheduling.delete_schedule", is_schedule_owner | is_superuser)
rules.add_perm("scheduling.change_event", is_event_owner | is_superuser)
rules.add_perm("scheduling.view_event", is_event_owner | is_superuser)
rules.add_perm("scheduling.delete_event", is_event_owner | is_superuser)
from rules import add_perm, always_allow, is_authenticated, predicate
from features.memberships import predicates as memberships
@predicate
def is_closed(user, group):
return group.closed
@predicate
def is_group(user, entity):
return entity.is_group
add_perm('groups.create_group', always_allow)
add_perm('groups.view', always_allow)
add_perm('groups.view_list', always_allow)
add_perm('groups.change', is_authenticated & memberships.is_member_of)
add_perm('groups.change_subscriptions_memberships', is_authenticated)
})
class Meta:
ordering = ['begin', 'name']
unique_together = ('community', 'slug')
@rules.predicate
def can_edit_event(user, event):
if not user or not event:
return False
return user.has_perm('community.can_edit', event.community)
rules.add_perm('event.can_edit', can_edit_event)
@rules.predicate
def is_subscriber(user, event):
if not user or not event:
return False
return user in event.community.subscribers.all()
rules.add_perm('event.can_rsvp', is_subscriber)
rules.add_perm('event.can_create_comment', is_subscriber)
class EventRSVP(TimeStampedModel):
